Electric transmission and distribution systems are increasingly exposed to cyber attacks. Some of the exposure can be traced to electric power industry's shift to open protocols and standards (e.g. TCP/IP over Ethernet LANs/WANs) for communicating data across the network. These open standards are rapidly gaining acceptance as utilities increasingly migrate to the next generation of IP addressable Intelligent Electronic Devices (IEDs). Remote access is becoming increasingly a standard feature for most of these IEDs. The risk of cyber attack on the devices is aggravated by utility relay department's procedural weakness against unauthorized access to IEDs. The Federal Energy Regulatory Commission's (hereinafter FERC) Critical Infrastructure Protection standards were meant to address this security risk by enforcing mandatory requirements on IT security based procedures. For example, FERC news release of Jan. 17, 2008 stated that the “mandatory reliability standards require certain users, owners and operators of the bulk power system to establish policies, plans and procedures to safeguard physical and electronic access to control systems, to train personnel on security matters, to report security incidents, and to be prepared to recover from a cyber incident.”
Still further complicating security, new power system markets now require an ever increasing openness to network data. For example, FERC Order 888 and 889 allow public access to certain types of transmission data. Such network information could provide an attacker a glimpse of vulnerable sections of the power system. Similarly, increased network interconnection of previously isolated control systems increases the security risks associated with the data communication. Likewise, unmanned substations are increasingly becoming vulnerable to unauthorized physical entries.
On the IT front, there are ever-increasing examples of electronic theft and so called “hactivism.” Cyber attacks have the potential to disable a bulk electric power system. According to one attack scenario, a cyber-attacker could remotely change relay characteristics of a local IED to mis-coordinate the tripping devices. On a larger scale, an attacker could change relay characteristics of a plurality of IP addressable IEDs in a network resulting in mis-coordination of the tripping devices. According to another attack scenario, a hacker could indirectly control breaking devices by maliciously changing relay characteristics such that the local IED will issue a trip signal. These attacks could have immediate and damaging effects and could trigger cascading events leading to power system collapse. For example, a hacker could set the relay characteristics to cause tripping at present loading conditions. In this manner, a cyber attacker could shut down a substation or any portion of a subsystem by controlling a compromised IED.
Alternatively, one could delay the malicious effects until a normal disturbance occurs in a system. This type of cyber attack could be accomplished by purposefully miscoordinating line protection relays resulting in the tripping of more lines than is necessary. In such cases, the compromised relays would reveal intrusion some time after the initial attack.
There is thus a need in the art for improved security measures for energy protection and control devices to minimize risks associated with malicious attacks.